In last post i showed how you can integrate Azure Media Services Key Delivery service functionality with JWT token obtained from Azure Active Directory.Sample code mentioned in article located in Key-delivery-with-AAD-integration repository. In previous version of sample i used JWT token acquired to communicate with Azure Graph API and pass it to Key Delivery service .

Based on received feedback example has been updated to use JWT token issued to your web application instead . It is done because you have control to configure that group claims will be present in JWT token. Also you might not have a requirements to talk with Azure Graph API in your app. Azure is planing to remove group claims from JWT token issued for Azure Graph API.

You should not rely on group claims existence in JWT token issued for Azure Graph API if you want to use key delivery token auth based on group claims. You should use JWT token received as part of user authentication process for your app.
Updated OWIN Auth configuration

Also Azure Media Services SDK has been changed to loose contact restriction and allow TokenRestrictionTemplate.Issuer and TokenRestrictionTemplate.Audience to be a string instead of URI type. JWT token obtained from Azure AD during user sign in process has string representation of GUID in Audience claim. In JWT token scenario Media services SDK allows to specify Issuer and Audience as string of any format. For SWT token scenario it should be string representation of absolute Uri.

Please note that  TokenRestrictionTemplate.Issuer and TokenRestrictionTemplate.Audience type changes in SDK is breaking change  and you have to update TokenRestrictionTemplate related code once you upgraded to version.

Also if you implement group based token authentication following my previous version of sample you have to change your code according to updated repo in order to have your solution continue to work .